CIO Asia - Security Issues in the Financial Sector
A wake-up call to the financial services sector: It is time to review and rethink IT security.
By Tan Shong Ye
PWC
Security for banks is a huge issue. A day rarely passes without a press report relating to a security breach or issue. Banks are now facing increasing security threats to their people, assets and operations from diverse sources such as:
* Terrorism
* Financial fraud, both internal and external
* Organised crime, including money laundering
* Numerous information threats (e.g. hackers and computer viruses)
The level and complexity involved in managing such a diversity of threats means that security has become a significant and increasing cost component of doing business for banks.
How big an issue is security? Unfortunately, many organisations need to experience the significant impact of a negative security event before realising that security is a huge issue. Of course, by then it is too late.
Specifically, security is a huge issue in Asia. In The State of Information Security 2004 Worldwide Study by CIO (U.S.) magazine and PricewaterhouseCoopers released in October 2004, it was found that Asia and South America trailed North America and Europe in IT security and best practice implementation.
The study also revealed that 75 percent of Asian companies—a figure higher than any other region (vs. 67 percent North America, 65 percent Europe)—had suffered downtime due to security lapses in the past year. This was probably due to the rapid rise in IT deployment in Asia without a corresponding increase in focus on IT security management.
Banks Need Special Care
A particular and topical area is Internet banking. Many retail banks have recently suffered a wave of attacks in which fraudsters send out e-mails directing customers to fake websites and requesting them to enter their passwords and other details. This form of security attack, more commonly known as phishing, has resulted in significant losses.
The main impact, however, is not the direct losses but the investment of banks’ resources in responding to these attacks. Banks are also concerned that fears over security are slowing the uptake of Internet banking by their customers. As a result, some banks are now seriously considering rolling out stronger authentication measures to their Internet banking customers. However, this slows access, which affects ease and attractiveness of use and increases the cost of providing such services.
Banks must also comply with an increasing volume of legislation relating to security. This includes anti-money laundering legislation, as well as the data privacy requirements of certain countries. Banks in Singapore should be mindful of the Monetary Authority of Singapore (MAS) Internet Technology Risk Management Guidelines issued in June 2003, and the Technology Risk Management Guidelines for Financial Institutions issued in November 2002. For outsourced functions, banks need to comply with the confidentiality and security requirements in the newly released Guidelines on Outsourcing issued by the MAS in October 2004.
Furthermore, security and fraud-related losses form a significant component of most financial institutions’ operational loss exposures under new regulatory capital approaches being introduced by Basel II. In addition, to ensure the appropriateness of their design and operational effectiveness, there is also a need for management to reassess security controls; this is a key aspect of Sarbanes-Oxley Section 404 compliance for SEC registrants.
Risk Impact
What is the best way to address security risks and how will it impact the business?
It is becoming more common for organisations to strive for a “best fit” solution, as opposed to obtaining “best practice” in every security-related matter. Conforming to a set of best practices can be an extremely expensive exercise that does not necessarily deliver business benefits equal to or greater than the resources expended to get there.
A best-fit model is, instead, about understanding what the risks are and applying the most appropriate risk mitigation strategy to reduce them, as opposed to applying best practice processes regardless of the associated risk.
Security has often been focused on the concept of exclusion (i.e. preventing unauthorised access to internal resources). However, in the banking environment where Internet-based applications are deployed by customers, employees, and other business partners, security is also about appropriate inclusion (i.e. allowing access to the right people). It is critical to strike the right balance between keeping the security risks at bay and not impacting the business so much that its competitive edge suffers.
Banks need to address their security risks at a number of different levels:
* Get the governance right. To respond effectively and efficiently to the growing number of security threats, a coordinated response across an organisation is required.
* Integrate with wider risk management practices. To be effective, security risk analysis processes have to be integrated with an organisation’s overall risk framework. This is vital to ensure buy-in from management and the business. This also means that for banks to be accredited at the highest operational risk level available under Basel II—the Advanced Measurement Approach—the security risk management approach has to meet a number of qualitative standards in common with other elements of operational risk.
* Enable the business. Establishing robust data classification models and identity management processes and systems is key to successfully maintaining security while, at the same time, allowing organisations to get closer to their customers.
* Build security awareness. Raising the awareness of security in an organisation is often a challenge but is vital for developing a strong security culture.
In conclusion, the ever-increasing threats to banks coupled with developments around risk governance, control and assessment indicate a timely need for management to rethink the way that security is viewed.
Tan Shong Ye is Partner and Head of Security & Technology Practice at PricewaterhouseCoopers.